UK IoT Security Regulation Empowers Consumers to Demand Safer Connected Devices

The UK government is advancing a comprehensive regulatory framework for Internet of Things (IoT) devices, aligning with a worldwide push to secure the rapidly expanding IoT ecosystem, according to Mike Nelson, Vice President of IoT Security at DigiCert.
For years, IoT products have hit the market with critical vulnerabilities, enabling novel threat vectors—from hackable cars to dolls that double as remote surveillance tools—alongside large‑scale incidents like the Mirai botnet that jeopardized core internet infrastructure. These risks spurred the UK’s regulatory response.
The new regulations build on the 2018 Code of Practice, ‘Secure by Design’, which already offered manufacturers and consumers a set of best‑practice guidelines. These include secure credential storage, minimized attack surfaces, ongoing software integrity and updates, and encrypted communication.
While the 2018 Code was intended to be voluntary, the government has now moved to make key provisions mandatory. Regulators will enforce at least three core requirements.

Three Guidelines
Firstly, each device must ship with a unique password (or require the user to set one), and a factory reset must not restore a universal default. This removes the shared default credentials that Mirai-style botnets scan for, although it does not protect against weak passwords that users choose themselves.
Secondly, manufacturers must publish a public point of contact for vulnerability disclosures, so that researchers can report flaws and manufacturers can remediate them quickly.
Thirdly, device makers must state the minimum period for which security updates will be provided, so buyers know when a device will stop receiving patches and can plan to retire it or isolate it on the network.
Devices that meet these criteria can display a government‑approved security seal, signalling trust to consumers.
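To make the first requirement concrete, the following is an added illustration, not code from the article, from DigiCert, or from the UK scheme, of how a manufacturer can give every unit a factory password derived from a per-unit secret, so that a factory reset restores that unit's own password rather than a universal "admin". The deny-list of well-known defaults, the serial numbers and the HMAC-based derivation are assumptions made for the example; a real product would burn the per-unit secret into protected storage at manufacture and print the derived password on the device label.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample of universal factory defaults that must never be accepted.
# A real deny-list would be much longer (e.g. the credential pairs Mirai tried).
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "123456", "root", "default", ""}

# Alphabet for label-printed passwords: 32 symbols, no 0/O or 1/I ambiguity.
_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def derive_label_password(device_secret: bytes, serial: str, length: int = 12) -> str:
    """Derive one device's unique factory password from its per-unit secret.

    HMAC-SHA256(device_secret, serial) is mapped onto the label alphabet.
    Different secrets give unrelated passwords, and knowing the serial alone
    (which is printed on the box) does not reveal the password.
    """
    digest = hmac.new(device_secret, serial.encode(), hashlib.sha256).digest()
    # 256 is a multiple of 32, so `byte & 31` is unbiased over the alphabet.
    return "".join(_ALPHABET[b & 31] for b in digest[:length])


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash on the device, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Device:
    """Minimal model of a device's credential store (hypothetical)."""

    def __init__(self, serial: str, device_secret: Optional[bytes] = None):
        self.serial = serial
        # Per-unit secret provisioned at manufacture (generated in software here).
        self._device_secret = device_secret or secrets.token_bytes(32)
        self._salt = b""
        self._pw_hash = b""
        self.factory_reset()

    def _store(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_password(password, self._salt)

    def factory_reset(self) -> str:
        """Reset restores THIS unit's label password, never a fleet-wide default."""
        label_pw = derive_label_password(self._device_secret, self.serial)
        self._store(label_pw)
        return label_pw

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self._salt), self._pw_hash)

    def change_password(self, current: str, new: str) -> None:
        if not self.verify(current):
            raise PermissionError("current password incorrect")
        if new in UNIVERSAL_DEFAULTS or len(new) < 8:
            raise ValueError("new password is a well-known default or too short")
        self._store(new)


def audit_fleet(label_passwords: Dict[str, str]) -> List[str]:
    """Compliance check over a fleet's factory passwords (serial -> password).

    Flags any unit whose factory password is a universal default and any
    two units that share a factory password. An empty list means compliant.
    """
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for serial, pw in label_passwords.items():
        if pw in UNIVERSAL_DEFAULTS:
            findings.append(f"{serial}: factory password is a universal default")
        if pw in seen:
            findings.append(f"{serial}: shares factory password with {seen[pw]}")
        seen.setdefault(pw, serial)
    return findings


if __name__ == "__main__":
    # Constructed fleet: per-unit secrets would come from the factory HSM.
    fleet = [Device("SN-0001", b"\x01" * 32), Device("SN-0002", b"\x02" * 32)]
    compliant = {d.serial: d.factory_reset() for d in fleet}
    legacy = {"CAM-A": "admin", "CAM-B": "admin"}  # the pre-regulation pattern
    print("compliant fleet findings:", audit_fleet(compliant))
    print("legacy fleet findings:", audit_fleet(legacy))
```

The key property is that `factory_reset()` is deterministic per unit: the owner can always recover access from the label, but there is no single string that opens every unit of the model.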
IoT Security Transferred to Consumers
Historically, manufacturers, and sometimes enterprise security teams, bore the responsibility for device security. A visible security label shifts part of that decision to the end user, who can weigh the baseline protections and the stated support period before connecting a device to a protected network. The label describes the device as sold; it does not replace patching, network segmentation, or retiring the device once updates end.
When consumers factor security into purchase decisions, manufacturers are pushed to invest in it rather than cut corners. Historically, insecurity was cheaper; now, security can become a market differentiator.

That cost-benefit calculation has too often been made only after a breach. Until now, incentives for manufacturers, both carrot and stick, were missing. The new regulation will not eliminate all vulnerabilities, but it provides a constructive framework that rewards proactive security design.
The author is Mike Nelson, VP of IoT Security, DigiCert
About the Author
Mike Nelson is the VP of IoT Security at DigiCert, a global provider of digital security. In this role, Mike oversees the company’s strategic market development for critical infrastructure industries, securing highly sensitive networks and IoT devices across healthcare, transportation, industrial operations, and smart grid and smart city implementations. Mike frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at conferences about how technology can improve cybersecurity for critical systems and the people who rely upon them.
Mike has spent his career in healthcare IT, including stints at the U.S. Department of Health and Human Services, GE Healthcare, and Leavitt Partners—a boutique healthcare consulting firm. His passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.